HAProxy / HAProxy Enterprise with acme.sh for cert renewal - ALL or NOTHING ? (Also renewal date is weird) #5088
Comments
Please upgrade to the latest code and try again first. Maybe it's already fixed.
debug 2 here. Please note I have anonymized the domain and acme URL. [Fri Apr 12 12:13:56 UTC 2024] Lets find script dir.
Here is a screenshot showing that the domain indeed is valid for only three days rather than two months: acme@xxx$ echo "show ssl cert /etc/hapee-2.8/certs/xxx.com.pem" | socat /var/run/hapee-2.8/hapee-lb.sock -
I have implemented the acme.sh script to renew HAProxy certificates with an external CA.
Whilst it is working great on both OSS HAProxy and Enterprise HAProxy, I am slightly confused about where the renewals come from, or rather the schedule as such.
You can create both a crontab entry and a daemon to run the renewal, and that works, BUT there still seems to be a default renewal date configured of about two months.
So today for example I tested it with a certificate (GeoTrust TLS ECC CA G1)
And when I run a renewal of the cert that expires tomorrow and is only two days old, I am getting
[Fri Apr 12 11:46:37 UTC 2024] Skip, Next renewal time is: 2024-06-10T11:37:22Z
[Fri Apr 12 11:46:37 UTC 2024] Add '--force' to force to renew.
The certificate in question, however, has only a 3 day validity.
So the only way to get around the two-month renewal is indeed to use the --force switch to renew them on your own schedule. That's of course fine, but the other issue is that the implementation also seems to renew all deployed certs regardless of validity, so if I for example have certs that expire in
3 days
3 weeks
3 months
I have to basically create a scheduled task that runs every three days so ALL certificates will be renewed every three days, which of course also means you get potentially charged every three days for all certs, despite their renewal not being due yet.
And before someone asks: no, we cannot change the 3-day one, and also no, it does not ignore certs with longer renewal periods, as acme.sh will force the renewal regardless.
Any idea where the 2 months are configured and why that is? The minimum term for public DV certs is 3 days and not 2 months, so it kinda makes no sense.
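One way to get per-certificate scheduling out of the situation described in this issue, as an added example that is not the reporter's script nor code from the acme.sh project: read each PEM's own validity window, decide from that whether renewal is due, and pass --force only for the certificates that are due. A 3-day and a 90-day certificate on the same host then each renew on their own cadence, and the not-yet-due ones are not re-issued (and not re-charged) on every run. It assumes GNU date (-d), openssl, PEM files named <domain>.pem in the HAProxy cert directory as in the issue's /etc/hapee-2.8/certs/xxx.com.pem, and a hypothetical ACME_RENEW variable holding the renew command (defaulting to echo, i.e. a dry run). The one-third-of-lifetime threshold is the example's own choice, not an acme.sh default.

```shell
#!/bin/sh
# Added example, not code from the issue author or the acme.sh project.
# Assumes GNU date (-d) and openssl. ACME_RENEW is a hypothetical variable
# holding the renew command; it defaults to "echo" so the script is a dry run.

# Whole days (floored) from a reference epoch (default: now) until an
# openssl-style timestamp such as "Apr 15 11:37:22 2024 GMT".
days_until_expiry() {
  not_after="$1"
  now="${2:-$(date -u +%s)}"
  end=$(date -u -d "$not_after" +%s) || return 2
  echo $(( (end - now) / 86400 ))
}

# True (exit 0) when the remaining validity is at or below one third of the
# certificate's lifetime, with a floor of one day.
# Args: notBefore notAfter [now_epoch].
# A 3-day cert is therefore due with 1 day left, a 90-day cert with 30 days left.
renewal_due() {
  not_before="$1"
  not_after="$2"
  now="${3:-$(date -u +%s)}"
  start=$(date -u -d "$not_before" +%s) || return 2
  end=$(date -u -d "$not_after" +%s) || return 2
  lifetime_days=$(( (end - start) / 86400 ))
  remaining_days=$(( (end - now) / 86400 ))
  threshold=$(( lifetime_days / 3 ))
  if [ "$threshold" -lt 1 ]; then threshold=1; fi
  [ "$remaining_days" -le "$threshold" ]
}

# Read notBefore/notAfter from a PEM file and apply renewal_due to them.
pem_renewal_due() {
  pem="$1"
  nb=$(openssl x509 -noout -startdate -in "$pem" | sed 's/^notBefore=//') || return 2
  na=$(openssl x509 -noout -enddate -in "$pem" | sed 's/^notAfter=//') || return 2
  renewal_due "$nb" "$na"
}

# Walk a HAProxy certificate directory (files named <domain>.pem, as in the
# issue's /etc/hapee-2.8/certs/xxx.com.pem) and renew only the due ones.
# --force is needed because acme.sh would otherwise skip until its own
# renewal date; it is passed only for certificates this script finds due.
renew_due_certs() {
  dir="$1"
  cmd="${ACME_RENEW:-echo}"
  for pem in "$dir"/*.pem; do
    [ -f "$pem" ] || continue
    domain=$(basename "$pem" .pem)
    if pem_renewal_due "$pem"; then
      $cmd --renew -d "$domain" --force
    else
      echo "not due: $domain"
    fi
  done
}

# Usage: ACME_RENEW="$HOME/.acme.sh/acme.sh" sh renew-due.sh /etc/hapee-2.8/certs
if [ -n "${1:-}" ]; then renew_due_certs "$1"; fi
```

Run it from the same daily cron entry the issue describes; the schedule of the cron job no longer has to match the shortest-lived certificate, because the script, not acme.sh's fixed interval, decides which domains get --force on a given day. After a renewal you still need the existing deploy step that loads the new PEM into HAProxy.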